1 /* $OpenBSD: tls12_record_layer.c,v 1.40 2023/07/08 20:38:23 beck Exp $ */ 2 /* 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <limits.h> 19 #include <stdlib.h> 20 21 #include <openssl/evp.h> 22 23 #include "ssl_local.h" 24 25 #define TLS12_RECORD_SEQ_NUM_LEN 8 26 #define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12 27 28 struct tls12_record_protection { 29 uint16_t epoch; 30 uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; 31 32 EVP_AEAD_CTX *aead_ctx; 33 34 uint8_t *aead_nonce; 35 size_t aead_nonce_len; 36 37 uint8_t *aead_fixed_nonce; 38 size_t aead_fixed_nonce_len; 39 40 size_t aead_variable_nonce_len; 41 size_t aead_tag_len; 42 43 int aead_xor_nonces; 44 int aead_variable_nonce_in_record; 45 46 EVP_CIPHER_CTX *cipher_ctx; 47 EVP_MD_CTX *hash_ctx; 48 49 int stream_mac; 50 51 uint8_t *mac_key; 52 size_t mac_key_len; 53 }; 54 55 static struct tls12_record_protection * 56 tls12_record_protection_new(void) 57 { 58 return calloc(1, sizeof(struct tls12_record_protection)); 59 } 60 61 static void 62 tls12_record_protection_clear(struct tls12_record_protection *rp) 63 { 64 EVP_AEAD_CTX_free(rp->aead_ctx); 65 66 freezero(rp->aead_nonce, rp->aead_nonce_len); 67 freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len); 68 69 EVP_CIPHER_CTX_free(rp->cipher_ctx); 70 EVP_MD_CTX_free(rp->hash_ctx); 71 72 freezero(rp->mac_key, rp->mac_key_len); 73 74 memset(rp, 0, sizeof(*rp)); 75 } 76 77 static void 78 tls12_record_protection_free(struct tls12_record_protection *rp) 79 { 80 if (rp == NULL) 81 return; 82 83 tls12_record_protection_clear(rp); 84 85 freezero(rp, sizeof(struct tls12_record_protection)); 86 } 87 88 static int 89 tls12_record_protection_engaged(struct tls12_record_protection *rp) 90 { 91 return rp->aead_ctx != NULL || rp->cipher_ctx != NULL; 92 } 93 94 static int 95 tls12_record_protection_unused(struct tls12_record_protection *rp) 96 { 97 return rp->aead_ctx == NULL && rp->cipher_ctx == NULL && 98 rp->hash_ctx == NULL && rp->mac_key == NULL; 99 } 100 101 static int 102 tls12_record_protection_eiv_len(struct tls12_record_protection *rp, 103 size_t *out_eiv_len) 104 { 105 int eiv_len; 106 107 *out_eiv_len = 0; 108 109 if (rp->cipher_ctx == NULL) 110 return 0; 111 112 eiv_len = 0; 113 if (EVP_CIPHER_CTX_mode(rp->cipher_ctx) == EVP_CIPH_CBC_MODE) 114 eiv_len = EVP_CIPHER_CTX_iv_length(rp->cipher_ctx); 115 if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH) 116 return 0; 117 118 *out_eiv_len = eiv_len; 119 120 return 1; 121 } 122 123 static int 124 tls12_record_protection_block_size(struct tls12_record_protection *rp, 125 size_t *out_block_size) 126 { 127 int block_size; 128 129 *out_block_size = 0; 130 131 if (rp->cipher_ctx == NULL) 132 return 0; 133 134 block_size = EVP_CIPHER_CTX_block_size(rp->cipher_ctx); 135 if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH) 136 return 0; 137 138 *out_block_size = block_size; 139 140 return 1; 141 } 142 143 static int 144 tls12_record_protection_mac_len(struct tls12_record_protection *rp, 145 size_t *out_mac_len) 146 { 147 int mac_len; 148 149 *out_mac_len = 0; 150 151 if (rp->hash_ctx == NULL) 152 return 0; 153 154 mac_len = EVP_MD_CTX_size(rp->hash_ctx); 155 if (mac_len <= 0 || mac_len > EVP_MAX_MD_SIZE) 156 return 0; 157 158 *out_mac_len = mac_len; 159 160 return 1; 161 } 162 163 struct tls12_record_layer { 164 uint16_t version; 165 uint16_t initial_epoch; 166 int dtls; 167 168 uint8_t alert_desc; 169 170 const EVP_AEAD *aead; 171 const EVP_CIPHER *cipher; 172 const EVP_MD *handshake_hash; 173 const EVP_MD *mac_hash; 174 175 /* Pointers to active record protection (memory is not owned). */ 176 struct tls12_record_protection *read; 177 struct tls12_record_protection *write; 178 179 struct tls12_record_protection *read_current; 180 struct tls12_record_protection *write_current; 181 struct tls12_record_protection *write_previous; 182 }; 183 184 struct tls12_record_layer * 185 tls12_record_layer_new(void) 186 { 187 struct tls12_record_layer *rl; 188 189 if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL) 190 goto err; 191 if ((rl->read_current = tls12_record_protection_new()) == NULL) 192 goto err; 193 if ((rl->write_current = tls12_record_protection_new()) == NULL) 194 goto err; 195 196 rl->read = rl->read_current; 197 rl->write = rl->write_current; 198 199 return rl; 200 201 err: 202 tls12_record_layer_free(rl); 203 204 return NULL; 205 } 206 207 void 208 tls12_record_layer_free(struct tls12_record_layer *rl) 209 { 210 if (rl == NULL) 211 return; 212 213 tls12_record_protection_free(rl->read_current); 214 tls12_record_protection_free(rl->write_current); 215 tls12_record_protection_free(rl->write_previous); 216 217 freezero(rl, sizeof(struct tls12_record_layer)); 218 } 219 220 void 221 tls12_record_layer_alert(struct tls12_record_layer *rl, uint8_t *alert_desc) 222 { 223 *alert_desc = rl->alert_desc; 224 } 225 226 int 227 tls12_record_layer_write_overhead(struct tls12_record_layer *rl, 228 size_t *overhead) 229 { 230 size_t block_size, eiv_len, mac_len; 231 232 *overhead = 0; 233 234 if (rl->write->aead_ctx != NULL) { 235 *overhead = rl->write->aead_tag_len; 236 } else if (rl->write->cipher_ctx != NULL) { 237 eiv_len = 0; 238 if (rl->version != TLS1_VERSION) { 239 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) 240 return 0; 241 } 242 if (!tls12_record_protection_block_size(rl->write, &block_size)) 243 return 0; 244 if (!tls12_record_protection_mac_len(rl->write, &mac_len)) 245 return 0; 246 247 *overhead = eiv_len + block_size + mac_len; 248 } 249 250 return 1; 251 } 252 253 int 254 tls12_record_layer_read_protected(struct tls12_record_layer *rl) 255 { 256 return tls12_record_protection_engaged(rl->read); 257 } 258 259 int 260 tls12_record_layer_write_protected(struct tls12_record_layer *rl) 261 { 262 return tls12_record_protection_engaged(rl->write); 263 } 264 265 void 266 tls12_record_layer_set_aead(struct tls12_record_layer *rl, const EVP_AEAD *aead) 267 { 268 rl->aead = aead; 269 } 270 271 void 272 tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl, 273 const EVP_CIPHER *cipher, const EVP_MD *handshake_hash, 274 const EVP_MD *mac_hash) 275 { 276 rl->cipher = cipher; 277 rl->handshake_hash = handshake_hash; 278 rl->mac_hash = mac_hash; 279 } 280 281 void 282 tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) 283 { 284 rl->version = version; 285 rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR); 286 } 287 288 void 289 tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, 290 uint16_t epoch) 291 { 292 rl->initial_epoch = epoch; 293 } 294 295 uint16_t 296 tls12_record_layer_read_epoch(struct tls12_record_layer *rl) 297 { 298 return rl->read->epoch; 299 } 300 301 uint16_t 302 tls12_record_layer_write_epoch(struct tls12_record_layer *rl) 303 { 304 return rl->write->epoch; 305 } 306 307 int 308 tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) 309 { 310 if (rl->write->epoch == epoch) 311 return 1; 312 313 if (rl->write_current->epoch == epoch) { 314 rl->write = rl->write_current; 315 return 1; 316 } 317 318 if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) { 319 rl->write = rl->write_previous; 320 return 1; 321 } 322 323 return 0; 324 } 325 326 void 327 tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch) 328 { 329 if (rl->write_previous == NULL || rl->write_previous->epoch != epoch) 330 return; 331 332 rl->write = rl->write_current; 333 334 tls12_record_protection_free(rl->write_previous); 335 rl->write_previous = NULL; 336 } 337 338 void 339 tls12_record_layer_clear_read_state(struct tls12_record_layer *rl) 340 { 341 tls12_record_protection_clear(rl->read); 342 rl->read->epoch = rl->initial_epoch; 343 } 344 345 void 346 tls12_record_layer_clear_write_state(struct tls12_record_layer *rl) 347 { 348 tls12_record_protection_clear(rl->write); 349 rl->write->epoch = rl->initial_epoch; 350 351 tls12_record_protection_free(rl->write_previous); 352 rl->write_previous = NULL; 353 } 354 355 void 356 tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl) 357 { 358 memcpy(rl->write->seq_num, rl->read->seq_num, 359 sizeof(rl->write->seq_num)); 360 } 361 362 static const uint8_t tls12_max_seq_num[TLS12_RECORD_SEQ_NUM_LEN] = { 363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 364 }; 365 366 int 367 tls12_record_layer_inc_seq_num(struct tls12_record_layer *rl, uint8_t *seq_num) 368 { 369 CBS max_seq_num; 370 int i; 371 372 /* 373 * RFC 5246 section 6.1 and RFC 6347 section 4.1 - both TLS and DTLS 374 * sequence numbers must not wrap. Note that for DTLS the first two 375 * bytes are used as an "epoch" and not part of the sequence number. 376 */ 377 CBS_init(&max_seq_num, seq_num, TLS12_RECORD_SEQ_NUM_LEN); 378 if (rl->dtls) { 379 if (!CBS_skip(&max_seq_num, 2)) 380 return 0; 381 } 382 if (CBS_mem_equal(&max_seq_num, tls12_max_seq_num, 383 CBS_len(&max_seq_num))) 384 return 0; 385 386 for (i = TLS12_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { 387 if (++seq_num[i] != 0) 388 break; 389 } 390 391 return 1; 392 } 393 394 static int 395 tls12_record_layer_set_mac_key(struct tls12_record_protection *rp, 396 const uint8_t *mac_key, size_t mac_key_len) 397 { 398 freezero(rp->mac_key, rp->mac_key_len); 399 rp->mac_key = NULL; 400 rp->mac_key_len = 0; 401 402 if (mac_key == NULL || mac_key_len == 0) 403 return 1; 404 405 if ((rp->mac_key = calloc(1, mac_key_len)) == NULL) 406 return 0; 407 408 memcpy(rp->mac_key, mac_key, mac_key_len); 409 rp->mac_key_len = mac_key_len; 410 411 return 1; 412 } 413 414 static int 415 tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, 416 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 417 CBS *iv) 418 { 419 if (!tls12_record_protection_unused(rp)) 420 return 0; 421 422 if ((rp->aead_ctx = EVP_AEAD_CTX_new()) == NULL) 423 return 0; 424 425 /* AES GCM cipher suites use variable nonce in record. */ 426 if (rl->aead == EVP_aead_aes_128_gcm() || 427 rl->aead == EVP_aead_aes_256_gcm()) 428 rp->aead_variable_nonce_in_record = 1; 429 430 /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */ 431 if (rl->aead == EVP_aead_chacha20_poly1305()) 432 rp->aead_xor_nonces = 1; 433 434 if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len)) 435 return 0; 436 437 rp->aead_nonce = calloc(1, EVP_AEAD_nonce_length(rl->aead)); 438 if (rp->aead_nonce == NULL) 439 return 0; 440 441 rp->aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); 442 rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead); 443 rp->aead_variable_nonce_len = TLS12_RECORD_SEQ_NUM_LEN; 444 445 if (rp->aead_xor_nonces) { 446 /* Fixed nonce length must match, variable must not exceed. */ 447 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) 448 return 0; 449 if (rp->aead_variable_nonce_len > rp->aead_nonce_len) 450 return 0; 451 } else { 452 /* Concatenated nonce length must equal AEAD nonce length. */ 453 if (rp->aead_fixed_nonce_len + 454 rp->aead_variable_nonce_len != rp->aead_nonce_len) 455 return 0; 456 } 457 458 if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key), 459 CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 460 return 0; 461 462 return 1; 463 } 464 465 static int 466 tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl, 467 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 468 CBS *iv) 469 { 470 EVP_PKEY *mac_pkey = NULL; 471 int gost_param_nid; 472 int mac_type; 473 int ret = 0; 474 475 if (!tls12_record_protection_unused(rp)) 476 goto err; 477 478 mac_type = EVP_PKEY_HMAC; 479 rp->stream_mac = 0; 480 481 if (CBS_len(iv) > INT_MAX || CBS_len(key) > INT_MAX) 482 goto err; 483 if (EVP_CIPHER_iv_length(rl->cipher) != CBS_len(iv)) 484 goto err; 485 if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key)) 486 goto err; 487 488 #ifndef OPENSSL_NO_GOST 489 /* XXX die die die */ 490 /* Special handling for GOST... */ 491 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { 492 if (CBS_len(mac_key) != 32) 493 goto err; 494 mac_type = EVP_PKEY_GOSTIMIT; 495 rp->stream_mac = 1; 496 } else { 497 #endif 498 if (CBS_len(mac_key) > INT_MAX) 499 goto err; 500 if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key)) 501 goto err; 502 #ifndef OPENSSL_NO_GOST 503 } 504 #endif 505 506 if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) 507 goto err; 508 if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL) 509 goto err; 510 511 if (!tls12_record_layer_set_mac_key(rp, CBS_data(mac_key), 512 CBS_len(mac_key))) 513 goto err; 514 515 if ((mac_pkey = EVP_PKEY_new_mac_key(mac_type, NULL, CBS_data(mac_key), 516 CBS_len(mac_key))) == NULL) 517 goto err; 518 519 if (!EVP_CipherInit_ex(rp->cipher_ctx, rl->cipher, NULL, CBS_data(key), 520 CBS_data(iv), is_write)) 521 goto err; 522 523 if (EVP_DigestSignInit(rp->hash_ctx, NULL, rl->mac_hash, NULL, 524 mac_pkey) <= 0) 525 goto err; 526 527 /* More special handling for GOST... */ 528 if (EVP_CIPHER_type(rl->cipher) == NID_gost89_cnt) { 529 gost_param_nid = NID_id_tc26_gost_28147_param_Z; 530 if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94) 531 gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet; 532 533 if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX, 534 gost_param_nid, 0) <= 0) 535 goto err; 536 537 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) { 538 if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX, 539 gost_param_nid, 0) <= 0) 540 goto err; 541 } 542 } 543 544 ret = 1; 545 546 err: 547 EVP_PKEY_free(mac_pkey); 548 549 return ret; 550 } 551 552 static int 553 tls12_record_layer_change_cipher_state(struct tls12_record_layer *rl, 554 struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, 555 CBS *iv) 556 { 557 if (rl->aead != NULL) 558 return tls12_record_layer_ccs_aead(rl, rp, is_write, mac_key, 559 key, iv); 560 561 return tls12_record_layer_ccs_cipher(rl, rp, is_write, mac_key, 562 key, iv); 563 } 564 565 int 566 tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, 567 CBS *mac_key, CBS *key, CBS *iv) 568 { 569 struct tls12_record_protection *read_new = NULL; 570 int ret = 0; 571 572 if ((read_new = tls12_record_protection_new()) == NULL) 573 goto err; 574 575 /* Read sequence number gets reset to zero. */ 576 577 /* DTLS epoch is incremented and is permitted to wrap. */ 578 if (rl->dtls) 579 read_new->epoch = rl->read_current->epoch + 1; 580 581 if (!tls12_record_layer_change_cipher_state(rl, read_new, 0, 582 mac_key, key, iv)) 583 goto err; 584 585 tls12_record_protection_free(rl->read_current); 586 rl->read = rl->read_current = read_new; 587 read_new = NULL; 588 589 ret = 1; 590 591 err: 592 tls12_record_protection_free(read_new); 593 594 return ret; 595 } 596 597 int 598 tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, 599 CBS *mac_key, CBS *key, CBS *iv) 600 { 601 struct tls12_record_protection *write_new; 602 int ret = 0; 603 604 if ((write_new = tls12_record_protection_new()) == NULL) 605 goto err; 606 607 /* Write sequence number gets reset to zero. */ 608 609 /* DTLS epoch is incremented and is permitted to wrap. */ 610 if (rl->dtls) 611 write_new->epoch = rl->write_current->epoch + 1; 612 613 if (!tls12_record_layer_change_cipher_state(rl, write_new, 1, 614 mac_key, key, iv)) 615 goto err; 616 617 if (rl->dtls) { 618 tls12_record_protection_free(rl->write_previous); 619 rl->write_previous = rl->write_current; 620 rl->write_current = NULL; 621 } 622 tls12_record_protection_free(rl->write_current); 623 rl->write = rl->write_current = write_new; 624 write_new = NULL; 625 626 ret = 1; 627 628 err: 629 tls12_record_protection_free(write_new); 630 631 return ret; 632 } 633 634 static int 635 tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, 636 uint16_t epoch, uint8_t *seq_num, size_t seq_num_len) 637 { 638 CBS seq; 639 640 CBS_init(&seq, seq_num, seq_num_len); 641 642 if (rl->dtls) { 643 if (!CBB_add_u16(cbb, epoch)) 644 return 0; 645 if (!CBS_skip(&seq, 2)) 646 return 0; 647 } 648 649 return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq)); 650 } 651 652 static int 653 tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, 654 uint8_t content_type, uint16_t record_len, CBS *seq_num, uint8_t **out, 655 size_t *out_len) 656 { 657 CBB cbb; 658 659 *out = NULL; 660 *out_len = 0; 661 662 /* Build the pseudo-header used for MAC/AEAD. */ 663 if (!CBB_init(&cbb, 13)) 664 goto err; 665 666 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), CBS_len(seq_num))) 667 goto err; 668 if (!CBB_add_u8(&cbb, content_type)) 669 goto err; 670 if (!CBB_add_u16(&cbb, rl->version)) 671 goto err; 672 if (!CBB_add_u16(&cbb, record_len)) 673 goto err; 674 675 if (!CBB_finish(&cbb, out, out_len)) 676 goto err; 677 678 return 1; 679 680 err: 681 CBB_cleanup(&cbb); 682 683 return 0; 684 } 685 686 static int 687 tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, 688 EVP_MD_CTX *hash_ctx, int stream_mac, CBS *seq_num, uint8_t content_type, 689 const uint8_t *content, size_t content_len, size_t *out_len) 690 { 691 EVP_MD_CTX *mac_ctx = NULL; 692 uint8_t *header = NULL; 693 size_t header_len = 0; 694 size_t mac_len; 695 uint8_t *mac; 696 int ret = 0; 697 698 if ((mac_ctx = EVP_MD_CTX_new()) == NULL) 699 goto err; 700 if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx)) 701 goto err; 702 703 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 704 seq_num, &header, &header_len)) 705 goto err; 706 707 if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0) 708 goto err; 709 if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0) 710 goto err; 711 if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0) 712 goto err; 713 if (!CBB_add_space(cbb, &mac, mac_len)) 714 goto err; 715 if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0) 716 goto err; 717 if (mac_len == 0) 718 goto err; 719 720 if (stream_mac) { 721 if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx)) 722 goto err; 723 } 724 725 *out_len = mac_len; 726 ret = 1; 727 728 err: 729 EVP_MD_CTX_free(mac_ctx); 730 freezero(header, header_len); 731 732 return ret; 733 } 734 735 static int 736 tls12_record_layer_read_mac_cbc(struct tls12_record_layer *rl, CBB *cbb, 737 uint8_t content_type, CBS *seq_num, const uint8_t *content, 738 size_t content_len, size_t mac_len, size_t padding_len) 739 { 740 uint8_t *header = NULL; 741 size_t header_len = 0; 742 uint8_t *mac = NULL; 743 size_t out_mac_len = 0; 744 int ret = 0; 745 746 /* 747 * Must be constant time to avoid leaking details about CBC padding. 748 */ 749 750 if (!ssl3_cbc_record_digest_supported(rl->read->hash_ctx)) 751 goto err; 752 753 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 754 seq_num, &header, &header_len)) 755 goto err; 756 757 if (!CBB_add_space(cbb, &mac, mac_len)) 758 goto err; 759 if (!ssl3_cbc_digest_record(rl->read->hash_ctx, mac, &out_mac_len, header, 760 content, content_len + mac_len, content_len + mac_len + padding_len, 761 rl->read->mac_key, rl->read->mac_key_len)) 762 goto err; 763 if (mac_len != out_mac_len) 764 goto err; 765 766 ret = 1; 767 768 err: 769 freezero(header, header_len); 770 771 return ret; 772 } 773 774 static int 775 tls12_record_layer_read_mac(struct tls12_record_layer *rl, CBB *cbb, 776 uint8_t content_type, CBS *seq_num, const uint8_t *content, 777 size_t content_len) 778 { 779 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 780 size_t out_len; 781 782 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) 783 return 0; 784 785 return tls12_record_layer_mac(rl, cbb, rl->read->hash_ctx, 786 rl->read->stream_mac, seq_num, content_type, content, content_len, 787 &out_len); 788 } 789 790 static int 791 tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, 792 uint8_t content_type, CBS *seq_num, const uint8_t *content, 793 size_t content_len, size_t *out_len) 794 { 795 return tls12_record_layer_mac(rl, cbb, rl->write->hash_ctx, 796 rl->write->stream_mac, seq_num, content_type, content, content_len, 797 out_len); 798 } 799 800 static int 801 tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, 802 struct tls12_record_protection *rp, CBS *seq_num) 803 { 804 CBB cbb; 805 806 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 807 return 0; 808 809 /* Fixed nonce and variable nonce (sequence number) are concatenated. */ 810 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) 811 goto err; 812 if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce, 813 rp->aead_fixed_nonce_len)) 814 goto err; 815 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), 816 rp->aead_variable_nonce_len)) 817 goto err; 818 if (!CBB_finish(&cbb, NULL, NULL)) 819 goto err; 820 821 return 1; 822 823 err: 824 CBB_cleanup(&cbb); 825 826 return 0; 827 } 828 829 static int 830 tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, 831 struct tls12_record_protection *rp, CBS *seq_num) 832 { 833 uint8_t *pad; 834 CBB cbb; 835 int i; 836 837 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 838 return 0; 839 if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len) 840 return 0; 841 if (rp->aead_fixed_nonce_len != rp->aead_nonce_len) 842 return 0; 843 844 /* 845 * Variable nonce (sequence number) is right padded, before the fixed 846 * nonce is XOR'd in. 847 */ 848 if (!CBB_init_fixed(&cbb, rp->aead_nonce, rp->aead_nonce_len)) 849 goto err; 850 if (!CBB_add_space(&cbb, &pad, 851 rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len)) 852 goto err; 853 if (!CBB_add_bytes(&cbb, CBS_data(seq_num), 854 rp->aead_variable_nonce_len)) 855 goto err; 856 if (!CBB_finish(&cbb, NULL, NULL)) 857 goto err; 858 859 for (i = 0; i < rp->aead_fixed_nonce_len; i++) 860 rp->aead_nonce[i] ^= rp->aead_fixed_nonce[i]; 861 862 return 1; 863 864 err: 865 CBB_cleanup(&cbb); 866 867 return 0; 868 } 869 870 static int 871 tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, 872 uint8_t content_type, CBS *fragment, struct tls_content *out) 873 { 874 if (tls12_record_protection_engaged(rl->read)) 875 return 0; 876 877 return tls_content_dup_data(out, content_type, CBS_data(fragment), 878 CBS_len(fragment)); 879 } 880 881 static int 882 tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, 883 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out) 884 { 885 struct tls12_record_protection *rp = rl->read; 886 uint8_t *header = NULL; 887 size_t header_len = 0; 888 uint8_t *content = NULL; 889 size_t content_len = 0; 890 size_t out_len = 0; 891 CBS var_nonce; 892 int ret = 0; 893 894 if (rp->aead_xor_nonces) { 895 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) 896 goto err; 897 } else if (rp->aead_variable_nonce_in_record) { 898 if (!CBS_get_bytes(fragment, &var_nonce, 899 rp->aead_variable_nonce_len)) 900 goto err; 901 if (!tls12_record_layer_aead_concat_nonce(rl, rp, &var_nonce)) 902 goto err; 903 } else { 904 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) 905 goto err; 906 } 907 908 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 909 if (CBS_len(fragment) < rp->aead_tag_len) { 910 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 911 goto err; 912 } 913 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 914 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 915 goto err; 916 } 917 918 content_len = CBS_len(fragment) - rp->aead_tag_len; 919 if ((content = calloc(1, CBS_len(fragment))) == NULL) { 920 content_len = 0; 921 goto err; 922 } 923 924 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 925 seq_num, &header, &header_len)) 926 goto err; 927 928 if (!EVP_AEAD_CTX_open(rp->aead_ctx, content, &out_len, content_len, 929 rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment), 930 CBS_len(fragment), header, header_len)) { 931 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 932 goto err; 933 } 934 935 if (out_len > SSL3_RT_MAX_PLAIN_LENGTH) { 936 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 937 goto err; 938 } 939 940 if (out_len != content_len) 941 goto err; 942 943 tls_content_set_data(out, content_type, content, content_len); 944 content = NULL; 945 content_len = 0; 946 947 ret = 1; 948 949 err: 950 freezero(header, header_len); 951 freezero(content, content_len); 952 953 return ret; 954 } 955 956 static int 957 tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, 958 uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out) 959 { 960 EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; 961 SSL3_RECORD_INTERNAL rrec; 962 size_t block_size, eiv_len; 963 uint8_t *mac = NULL; 964 size_t mac_len = 0; 965 uint8_t *out_mac = NULL; 966 size_t out_mac_len = 0; 967 uint8_t *content = NULL; 968 size_t content_len = 0; 969 size_t min_len; 970 CBB cbb_mac; 971 int ret = 0; 972 973 memset(&cbb_mac, 0, sizeof(cbb_mac)); 974 memset(&rrec, 0, sizeof(rrec)); 975 976 if (!tls12_record_protection_block_size(rl->read, &block_size)) 977 goto err; 978 979 /* Determine explicit IV length. */ 980 eiv_len = 0; 981 if (rl->version != TLS1_VERSION) { 982 if (!tls12_record_protection_eiv_len(rl->read, &eiv_len)) 983 goto err; 984 } 985 986 mac_len = 0; 987 if (rl->read->hash_ctx != NULL) { 988 if (!tls12_record_protection_mac_len(rl->read, &mac_len)) 989 goto err; 990 } 991 992 /* CBC has at least one padding byte. */ 993 min_len = eiv_len + mac_len; 994 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) 995 min_len += 1; 996 997 if (CBS_len(fragment) < min_len) { 998 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 999 goto err; 1000 } 1001 if (CBS_len(fragment) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 1002 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 1003 goto err; 1004 } 1005 if (CBS_len(fragment) % block_size != 0) { 1006 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1007 goto err; 1008 } 1009 1010 if ((content = calloc(1, CBS_len(fragment))) == NULL) 1011 goto err; 1012 content_len = CBS_len(fragment); 1013 1014 if (!EVP_Cipher(enc, content, CBS_data(fragment), CBS_len(fragment))) 1015 goto err; 1016 1017 rrec.data = content; 1018 rrec.input = content; 1019 rrec.length = content_len; 1020 1021 /* 1022 * We now have to remove padding, extract MAC, calculate MAC 1023 * and compare MAC in constant time. 1024 */ 1025 if (block_size > 1) 1026 ssl3_cbc_remove_padding(&rrec, eiv_len, mac_len); 1027 1028 if ((mac = calloc(1, mac_len)) == NULL) 1029 goto err; 1030 1031 if (!CBB_init(&cbb_mac, EVP_MAX_MD_SIZE)) 1032 goto err; 1033 if (EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) { 1034 ssl3_cbc_copy_mac(mac, &rrec, mac_len, rrec.length + 1035 rrec.padding_length); 1036 rrec.length -= mac_len; 1037 if (!tls12_record_layer_read_mac_cbc(rl, &cbb_mac, content_type, 1038 seq_num, rrec.input, rrec.length, mac_len, 1039 rrec.padding_length)) 1040 goto err; 1041 } else { 1042 rrec.length -= mac_len; 1043 memcpy(mac, rrec.data + rrec.length, mac_len); 1044 if (!tls12_record_layer_read_mac(rl, &cbb_mac, content_type, 1045 seq_num, rrec.input, rrec.length)) 1046 goto err; 1047 } 1048 if (!CBB_finish(&cbb_mac, &out_mac, &out_mac_len)) 1049 goto err; 1050 if (mac_len != out_mac_len) 1051 goto err; 1052 1053 if (timingsafe_memcmp(mac, out_mac, mac_len) != 0) { 1054 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1055 goto err; 1056 } 1057 1058 if (rrec.length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_len) { 1059 rl->alert_desc = SSL_AD_BAD_RECORD_MAC; 1060 goto err; 1061 } 1062 if (rrec.length > SSL3_RT_MAX_PLAIN_LENGTH) { 1063 rl->alert_desc = SSL_AD_RECORD_OVERFLOW; 1064 goto err; 1065 } 1066 1067 tls_content_set_data(out, content_type, content, content_len); 1068 content = NULL; 1069 content_len = 0; 1070 1071 /* Actual content is after EIV, minus padding and MAC. */ 1072 if (!tls_content_set_bounds(out, eiv_len, rrec.length)) 1073 goto err; 1074 1075 ret = 1; 1076 1077 err: 1078 CBB_cleanup(&cbb_mac); 1079 freezero(mac, mac_len); 1080 freezero(out_mac, out_mac_len); 1081 freezero(content, content_len); 1082 1083 return ret; 1084 } 1085 1086 int 1087 tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, 1088 size_t buf_len, struct tls_content *out) 1089 { 1090 CBS cbs, fragment, seq_num; 1091 uint16_t version; 1092 uint8_t content_type; 1093 1094 CBS_init(&cbs, buf, buf_len); 1095 CBS_init(&seq_num, rl->read->seq_num, sizeof(rl->read->seq_num)); 1096 1097 if (!CBS_get_u8(&cbs, &content_type)) 1098 return 0; 1099 if (!CBS_get_u16(&cbs, &version)) 1100 return 0; 1101 if (rl->dtls) { 1102 /* 1103 * The DTLS sequence number is split into a 16 bit epoch and 1104 * 48 bit sequence number, however for the purposes of record 1105 * processing it is treated the same as a TLS 64 bit sequence 1106 * number. DTLS also uses explicit read sequence numbers, which 1107 * we need to extract from the DTLS record header. 1108 */ 1109 if (!CBS_get_bytes(&cbs, &seq_num, SSL3_SEQUENCE_SIZE)) 1110 return 0; 1111 if (!CBS_write_bytes(&seq_num, rl->read->seq_num, 1112 sizeof(rl->read->seq_num), NULL)) 1113 return 0; 1114 } 1115 if (!CBS_get_u16_length_prefixed(&cbs, &fragment)) 1116 return 0; 1117 1118 if (rl->read->aead_ctx != NULL) { 1119 if (!tls12_record_layer_open_record_protected_aead(rl, 1120 content_type, &seq_num, &fragment, out)) 1121 return 0; 1122 } else if (rl->read->cipher_ctx != NULL) { 1123 if (!tls12_record_layer_open_record_protected_cipher(rl, 1124 content_type, &seq_num, &fragment, out)) 1125 return 0; 1126 } else { 1127 if (!tls12_record_layer_open_record_plaintext(rl, 1128 content_type, &fragment, out)) 1129 return 0; 1130 } 1131 1132 if (!rl->dtls) { 1133 if (!tls12_record_layer_inc_seq_num(rl, rl->read->seq_num)) 1134 return 0; 1135 } 1136 1137 return 1; 1138 } 1139 1140 static int 1141 tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, 1142 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) 1143 { 1144 if (tls12_record_protection_engaged(rl->write)) 1145 return 0; 1146 1147 return CBB_add_bytes(out, content, content_len); 1148 } 1149 1150 static int 1151 tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, 1152 uint8_t content_type, CBS *seq_num, const uint8_t *content, 1153 size_t content_len, CBB *out) 1154 { 1155 struct tls12_record_protection *rp = rl->write; 1156 uint8_t *header = NULL; 1157 size_t header_len = 0; 1158 size_t enc_record_len, out_len; 1159 uint8_t *enc_data; 1160 int ret = 0; 1161 1162 if (rp->aead_xor_nonces) { 1163 if (!tls12_record_layer_aead_xored_nonce(rl, rp, seq_num)) 1164 goto err; 1165 } else { 1166 if (!tls12_record_layer_aead_concat_nonce(rl, rp, seq_num)) 1167 goto err; 1168 } 1169 1170 if (rp->aead_variable_nonce_in_record) { 1171 if (rp->aead_variable_nonce_len > CBS_len(seq_num)) 1172 goto err; 1173 if (!CBB_add_bytes(out, CBS_data(seq_num), 1174 rp->aead_variable_nonce_len)) 1175 goto err; 1176 } 1177 1178 if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, 1179 seq_num, &header, &header_len)) 1180 goto err; 1181 1182 /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ 1183 enc_record_len = content_len + rp->aead_tag_len; 1184 if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) 1185 goto err; 1186 if (!CBB_add_space(out, &enc_data, enc_record_len)) 1187 goto err; 1188 1189 if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len, 1190 rp->aead_nonce, rp->aead_nonce_len, content, content_len, header, 1191 header_len)) 1192 goto err; 1193 1194 if (out_len != enc_record_len) 1195 goto err; 1196 1197 ret = 1; 1198 1199 err: 1200 freezero(header, header_len); 1201 1202 return ret; 1203 } 1204 1205 static int 1206 tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, 1207 uint8_t content_type, CBS *seq_num, const uint8_t *content, 1208 size_t content_len, CBB *out) 1209 { 1210 EVP_CIPHER_CTX *enc = rl->write->cipher_ctx; 1211 size_t block_size, eiv_len, mac_len, pad_len; 1212 uint8_t *enc_data, *eiv, *pad, pad_val; 1213 uint8_t *plain = NULL; 1214 size_t plain_len = 0; 1215 int ret = 0; 1216 CBB cbb; 1217 1218 if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH)) 1219 goto err; 1220 1221 /* Add explicit IV if necessary. */ 1222 eiv_len = 0; 1223 if (rl->version != TLS1_VERSION) { 1224 if (!tls12_record_protection_eiv_len(rl->write, &eiv_len)) 1225 goto err; 1226 } 1227 if (eiv_len > 0) { 1228 if (!CBB_add_space(&cbb, &eiv, eiv_len)) 1229 goto err; 1230 arc4random_buf(eiv, eiv_len); 1231 } 1232 1233 if (!CBB_add_bytes(&cbb, content, content_len)) 1234 goto err; 1235 1236 mac_len = 0; 1237 if (rl->write->hash_ctx != NULL) { 1238 if (!tls12_record_layer_write_mac(rl, &cbb, content_type, 1239 seq_num, content, content_len, &mac_len)) 1240 goto err; 1241 } 1242 1243 plain_len = eiv_len + content_len + mac_len; 1244 1245 /* Add padding to block size, if necessary. */ 1246 if (!tls12_record_protection_block_size(rl->write, &block_size)) 1247 goto err; 1248 if (block_size > 1) { 1249 pad_len = block_size - (plain_len % block_size); 1250 pad_val = pad_len - 1; 1251 1252 if (pad_len > 255) 1253 goto err; 1254 if (!CBB_add_space(&cbb, &pad, pad_len)) 1255 goto err; 1256 memset(pad, pad_val, pad_len); 1257 } 1258 1259 if (!CBB_finish(&cbb, &plain, &plain_len)) 1260 goto err; 1261 1262 if (plain_len % block_size != 0) 1263 goto err; 1264 if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) 1265 goto err; 1266 1267 if (!CBB_add_space(out, &enc_data, plain_len)) 1268 goto err; 1269 if (!EVP_Cipher(enc, enc_data, plain, plain_len)) 1270 goto err; 1271 1272 ret = 1; 1273 1274 err: 1275 CBB_cleanup(&cbb); 1276 freezero(plain, plain_len); 1277 1278 return ret; 1279 } 1280 1281 int 1282 tls12_record_layer_seal_record(struct tls12_record_layer *rl, 1283 uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb) 1284 { 1285 uint8_t *seq_num_data = NULL; 1286 size_t seq_num_len = 0; 1287 CBB fragment, seq_num_cbb; 1288 CBS seq_num; 1289 int ret = 0; 1290 1291 /* 1292 * Construct the effective sequence number - this is used in both 1293 * the DTLS header and for MAC calculations. 1294 */ 1295 if (!CBB_init(&seq_num_cbb, SSL3_SEQUENCE_SIZE)) 1296 goto err; 1297 if (!tls12_record_layer_build_seq_num(rl, &seq_num_cbb, rl->write->epoch, 1298 rl->write->seq_num, sizeof(rl->write->seq_num))) 1299 goto err; 1300 if (!CBB_finish(&seq_num_cbb, &seq_num_data, &seq_num_len)) 1301 goto err; 1302 CBS_init(&seq_num, seq_num_data, seq_num_len); 1303 1304 if (!CBB_add_u8(cbb, content_type)) 1305 goto err; 1306 if (!CBB_add_u16(cbb, rl->version)) 1307 goto err; 1308 if (rl->dtls) { 1309 if (!CBB_add_bytes(cbb, CBS_data(&seq_num), CBS_len(&seq_num))) 1310 goto err; 1311 } 1312 if (!CBB_add_u16_length_prefixed(cbb, &fragment)) 1313 goto err; 1314 1315 if (rl->write->aead_ctx != NULL) { 1316 if (!tls12_record_layer_seal_record_protected_aead(rl, 1317 content_type, &seq_num, content, content_len, &fragment)) 1318 goto err; 1319 } else if (rl->write->cipher_ctx != NULL) { 1320 if (!tls12_record_layer_seal_record_protected_cipher(rl, 1321 content_type, &seq_num, content, content_len, &fragment)) 1322 goto err; 1323 } else { 1324 if (!tls12_record_layer_seal_record_plaintext(rl, 1325 content_type, content, content_len, &fragment)) 1326 goto err; 1327 } 1328 1329 if (!CBB_flush(cbb)) 1330 goto err; 1331 1332 if (!tls12_record_layer_inc_seq_num(rl, rl->write->seq_num)) 1333 goto err; 1334 1335 ret = 1; 1336 1337 err: 1338 CBB_cleanup(&seq_num_cbb); 1339 free(seq_num_data); 1340 1341 return ret; 1342 } 1343